Auto-Scaling for Palo Alto Networks VM-Series
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.3, < 2.0 |
| ~> 4.54 |
Providers
| Name | Version |
|---|---|
| archive | n/a |
| ~> 4.54 | |
| random | n/a |
Modules
No modules.
Resources
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| autoscaler_metrics | A map with the keys being metrics identifiers (e.g. custom.googleapis.com/VMSeries/panSessionUtilization). Each of the contained objects has attribute target which is a numerical threshold for a scale-out or a scale-in. Each zonal group grows until it satisfies all the targets. Additional optional attribute type defines the metric as either GAUGE, DELTA_PER_SECOND, or DELTA_PER_MINUTE. For full specification, see the metric inside the provider doc. | map | { "custom.googleapis.com/VMSeries/panSessionThroughputKbps": { "target": 700000 }, "custom.googleapis.com/VMSeries/panSessionUtilization": { "target": 70 } } | no |
| cooldown_period | The number of seconds that the autoscaler should wait before it starts collecting information from a new VM-Series. This prevents the autoscaler from collecting information when the VM-Series is initializing, during which the collected usage would not be reliable. Virtual machine initialization times might vary because of numerous factors. | number | 480 | no |
| create_pubsub_topic | Set to true to create a Pub/Sub topic and subscription. The Panorama Google Cloud Plugin can use this Pub/Sub to trigger actions when the VM-Series Instance Group descales. Actions include, removal of VM-Series from Panorama and automatic delicensing (if VM-Series BYOL licensing is used). For more information, please see Autoscaling the VM-Series on GCP. | bool | true | no |
| delicensing_cloud_function_config | Defining delicensing_cloud_function_config enables creation of delicesing cloud function and related resources.The variable contains the following configuration parameters that are related to Cloud Function: - name_prefix - Resource name prefix- function_name - Cloud Function base name- region - Cloud Function region- bucket_location - Cloud Function source code bucket location - panorama_address - Panorama IP address/FQDN- panorama2_address - Panorama 2 IP address/FQDN. Set if Panorama is in HA mode- vpc_connector_network - Panorama VPC network Name- vpc_connector_cidr - VPC connector /28 CIDR.VPC connector will be user for delicensing CFN to access Panorama VPC network. Example:{ name_prefix = "abc-" function_name = "delicensing-cfn" region = "europe-central1" bucket_location = "EU" panorama_address = "1.1.1.1" panorama2_address = "" vpc_connector_network = "panorama-vpc" vpc_connector_cidr = "10.10.190.0/28" } | object({ name_prefix = string function_name = string region = string bucket_location = string panorama_address = string panorama2_address = string vpc_connector_network = string vpc_connector_cidr = string }) | null | no |
| disk_type | The disk type that is attached to the instances of the VM-Series firewalls. | string | "pd-ssd" | no |
| image | Link to VM-Series PAN-OS image. Can be either a full self_link, or one of the shortened forms per the provider doc. | string | "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-1014" | no |
| machine_type | The instance type for the VM-Series firewalls. | string | "n2-standard-4" | no |
| max_vmseries_replicas | The maximum number of VM-Series per region/zone that the autoscaler can scale up to. The maximum number of VM-Series should not be lower than min_vmseries_replicas. | number | n/a | yes |
| metadata | Metadata for VM-Series firewall. The metadata is used to perform mgmt-interface-swap and for bootstrapping the VM-Series. Ex 1: Partial bootstrap to Panoramametadata = { type = "dhcp-client" op-command-modes = "mgmt-interface-swap" vm-auth-key = "012345601234560123456" panorama-server = "1.1.1.1" dgname = "my-device-group" tplname = "my-template-stack" dhcp-send-hostname = "yes" dhcp-send-client-id = "yes" dhcp-accept-server-hostname = "yes" dhcp-accept-server-domain = "yes" }Ex 2: Full configuration bootstrap from Google storage bucket.metadata = { mgmt-interface-swap = "enable" vmseries-bootstrap-gce-storagebucket = "your-bootstrap-bucket" ssh-keys = "admin:your-public-key" } | map(string) | {} | no |
| min_cpu_platform | The minimum CPU platform for the instance type of the VM-Series firewalls. | string | "Intel Cascade Lake" | no |
| min_vmseries_replicas | The minimum number of VM-Series per region/zone that the autoscaler can scale down to. This cannot be less than 0. | number | n/a | yes |
| name | The name of the VM-Series deployed. This value will be used as the base_instance_name and will be used as a prepended prefix for other created resources. | string | n/a | yes |
| named_ports | A list of named port configurations. The name identifies the backend port to receive the traffic from the global load balancers.named_ports = [ { name = "http" port = "80" }, { name = "app42" port = "4242" }, ] | list | [] | no |
| network_interfaces | List of the network interface specifications. Available options: - subnetwork - (Required|string) Self-link of a subnetwork to create interface in.- create_public_ip - (Optional|boolean) Whether to reserve public IP for the interface. | list(any) | n/a | yes |
| project_id | GCP Project ID to contain the created cloud resources. | string | null | no |
| region | The Google Cloud region for the resources. If null, provider region will be used. | string | null | no |
| regional_mig | Sets the managed instance group type to either a regional (if true) or a zonal (if false).For more information please see About regional MIGs. | bool | n/a | yes |
| scale_in_control_replicas_fixed | Fixed number of VM-Series instances that can be killed within the scale-in time window. See scale_in_control in the provider doc. | number | 1 | no |
| scale_in_control_time_window_sec | How far (in seconds) autoscaling should look into the past when scaling down. | number | 1800 | no |
| scopes | A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. See a complete list of scopes here. | list(string) | [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write" ] | no |
| service_account_email | IAM Service Account applied to the VM-Series instances. | string | null | no |
| tags | Tags to attach to the instance | list(string) | [] | no |
| target_pools | A list of target pool URLs to which the instance groups are added. Updating the target pools attribute does not affect existing VM-Series instances. | list(string) | null | no |
| update_policy_type | What to do when the underlying template changes (e.g. PAN-OS upgrade). OPPORTUNISTIC is the only recommended value. Also PROACTIVE is allowed. | string | "OPPORTUNISTIC" | no |
| zones | A map of the zone names for zonal managed instance groups. A managed instance group will be created for every zone entered. Required if regional_mig is set to false. | map(string) | {} | no |
Outputs
| Name | Description |
|---|---|
| pubsub_subscription_iam_member_etag | The etag of the Pub/Sub IAM Member. |
| pubsub_subscription_id | The resource ID of the Pub/Sub Subscription. |
| pubsub_topic_id | The resource ID of the Pub/Sub Topic. |
| regional_instance_group_id | The resource ID of the regional VM-Series managed instance group. This output should only be used when regional_mig is set to true. |
| zonal_instance_group_ids | The resource IDs of the zonal VM-Series managed instance groups. This output should only be used when regional_mig is set to false. |